29 March 2023

The Dangers of a New Russian Proposal for a UN Convention on International Information Security

Valentin Weber

On March 7, 2023, Russia submitted its vision for a Convention of the UN on Ensuring International Information Security to the UN Open-Ended Working Group on Security of and in the Use of Information and Communications Technologies (OEWG). If the nine page document gains traction within the United Nations, it could undermine accountability of state actions in cyberspace and severely harm digital human rights.

The OEWG is a forum that facilitates discussions on international cybersecurity under the auspices of the first Committee of the United Nations General Assembly. The process was initiated by Russia to rival the UN Governmental Group of Experts that consisted of a selected group of countries, but which dealt with the same issues. Since 2019, within the OEWG, delegates of UN member states have, on a biannual and triannual basis, shared their perceptions of current and emerging threats, ways to build cybersecurity capacity, establish confidence building measures and understand how international law applies to cyberspace. Throughout the OEWG Russia has repeatedly called for a treaty to be established. Considering that Russia submitted its concept recently, it views the time as ripe to take this step.

In the opening paragraphs Russia contends that a legally binding treaty is needed as there are gaps in current international law. But many states (e.g. Sweden, South Korea, Colombia, Austria, and the United States) agree that there are no such gaps, and only further clarification of existing international law is needed. All countries have for instance agreed to the applicability of the UN Charter (a binding legal treaty) to cyberspace.

The Russian concept note calls for sovereign equality, the territorial integrity of states and noninterference in the internal affairs of others through propaganda and other means. Considering Russia’s countless cyber operations against Ukraine and its trolling activities abroad this is pure hypocrisy.

The threat section of the submission is from an authoritarian playbook—what matters is social and economic stability. It does mention human rights, primarily the right to privacy. All other rights such as freedom of expression and assembly are deprioritized.

While the document refers to human rights and fundamental freedoms, it merely elaborates on the freedom of expression and calls for the possibility of it being restricted for national security, public order and moral reasons. The mentioning of human rights is counterbalanced with security language.

Russia calls for the inadmissibility of unsubstantiated attributions, in particular if those are used to justify sanctions. However, attribution and the imposition of sanctions is a national prerogative of states and plays an important part in creating accountability in cyberspace. Of course, more evidence is better, and the United States especially has been transparent in providing evidence for its attribution statements. Ironically, it is Russian attributions of cyber operations that have been the ones lacking evidence.

When it comes to capacity building the Russian concept paper argues that this should be done under UN auspices, adding that there could be public-private partnerships. This framing shows that Russia prefers intergovernmental efforts over public-private collaborations that have been streamlined through organizations such as the Global Forum on Cyber Expertise.

Also of interest, Russia argues for the establishment of institutional mechanisms (the document does not specify whether the mechanisms are envisaged at the national or global level) to ensure de-anonymization in the information space. Here it appears that Russia aims to legitimize extensive domestic surveillance to bolster regime security and crack down on dissent.

It is not just about what the document contains, but also what is left out. There is no mention of the applicability of international human rights law, explicit mention of the normative framework of responsible state behavior, the threat of ransomware and the active role of multistakeholders.

In the way the Russian concept for a convention is organizationally set up, it would be the sole UN process on international information security after 2025, sidelining the mandate of the current OEWG. It contains mechanisms to verify implementation and regular review conferences. But a convention process requires more human resources than the existing OEWG (e.g. experts would have to be flown in). Countries simply would not have the resources to engage in any other UN negotiations on international cybersecurity.

Drafting such a convention would take years of negotiation, delaying international action on cybersecurity and accountability. Take for instance the Cybercrime Convention negotiations that have taken place in the third committee of the United Nations since 2021 and are scheduled to conclude its work by February 2024. The UN convention negotiations on marine biological diversity took five years. In other words, an international cybersecurity convention would mean a setback of at least several years on serious efforts regarding implementation. In a statement at the fourth substantive session of the OEWG in March 2023, Russia, as well as Iran, claimed that there would be accountability for states regarding their behavior in cyberspace (e.g. attacking critical infrastructure during peacetime) only once a legally binding treaty is adopted by member states. With the rival Cyber Program of Action (see next paragraph) mechanisms to foster accountability of states could be implemented immediately.

The chances of the Russian convention proposal replacing the current OEWG are unclear. In October 2022, a Russian-led resolution that encourages discussions within the OEWG regarding a permanent institutional dialogue post-2025 garnered 112 votes in favor. During the same month, an alternative Franco-Egyptian-led resolution for a Program of Action for Advancing Responsible Behavior in Cyberspace (PoA) gained the support of 157 states in the General Assembly. While the PoA resolution gained more support, Russian-led initiatives still received the support of a majority of UN member states, demonstrating the difficulty of agreeing on one process.

While the PoA was already launched in October 2020, it remains abstract. Similar to other UN PoAs, the cyber PoA would lay out specific recommendations for states to implement. In its current form, countries will be encouraged to regularly complete a national implementation survey, which documents, among other things, how countries classify the scale and seriousness of cybersecurity incidents. As opposed to the Russian proposed convention, the cyber PoA would not be legally binding.

With the Russian concept note emerging, the PoA-sponsoring countries will have to move quicker and become more concrete as to their proposal. How will the PoA efforts regarding capacity building be different from Russian efforts? To demonstrate the novelty of the PoA, capacity building efforts proposed in the PoA should be measurable. The national implementation survey, for instance, should have a scoring system (e.g. fifty out of one hundred). The more countries progress in capacity building measures, the higher they move up in the national implementation survey scoring system. In addition to this, PoA sponsoring countries could propose the pairing of countries who have stronger capacities with those that have lower capacities (national survey buddies). As there are more developing than developed countries, the former should (if possible) take on more countries to help with capacity building.

While the PoA has many advantages, Russia is apt at twisting words and doing convincing for its own proposal. So, the near-future of cyber diplomacy is open and it will be decided in the next year or two in the remaining mandate of the OEWG.

No comments: